Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vista 64 - 32-bit wmplayer.exe faults


  • Please log in to reply
16 replies to this topic

#1 Setharoth

Setharoth

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 18 March 2010 - 09:25 PM

The consistent issue is that wmplayer.exe 32bit faults on running. The failure in the event log looks like:
Log Name: Application
Source: Application Error
Date: 3/18/2010 7:45:11 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: alucard
Description:
Faulting application wmplayer.exe, version 11.0.6002.18111, time stamp 0x4aa91411, faulting module WTSAPI32.dll, version 6.0.6001.18000, time stamp 0x4791a78d, exception code 0xc0000005, fault offset 0x00001ea1, process id 0x9bc, application start time 0x01cac705d02ceca2.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-03-19T01:45:11.000Z" />
<EventRecordID>14856</EventRecordID>
<Channel>Application</Channel>
<Computer>alucard</Computer>
<Security />
</System>
<EventData>
<Data>wmplayer.exe</Data>
<Data>11.0.6002.18111</Data>
<Data>4aa91411</Data>
<Data>WTSAPI32.dll</Data>
<Data>6.0.6001.18000</Data>
<Data>4791a78d</Data>
<Data>c0000005</Data>
<Data>00001ea1</Data>
<Data>9bc</Data>
<Data>01cac705d02ceca2</Data>
</EventData>
</Event>

( Windows solution is to make sure I'm up to date, the machine is up to date with Windows updates ).

I am on:
Windows Vista Service Pack 2
64-bit Operating System

The faulting is consistent, every time its executed this happens.

History ( not sure whats relevant or not, so dumping all I can remember):
A few weeks ago updated avast from 4.8 to 5. Installed UFO from steam.
Avast never seemed to run, like the process never really started. Nothing I did seemed to fix it, ended up safe-mode running the avast remover.
UFO seemed to fault fairly often. ( Apparently not that uncommon for the game ).
Started noticing more faults, bluescreen stops ( not sure on what ), etc.
Since I use VLC most of the time only last week did I notice that wmplayer.exe never ran.
( Plugged in a PDA, started to do some sync or some such, never really started. )
Bought Norton, could not install, couldn't figure out really why. ( Can try again if desired ).


Odd bit: wmplayer.exe, if I use the Start-> link, or enter in that name, calls Program Files (x86)\... which fails. If I tell it to run
C:\Program Files\Windows Media Player\wmplayer.exe
It works just fine. ( So 32-bit wmp fails, 64-bit works ).


When some googling pointed at possible virus/rootkit for this failure, I have tried:
SanityCheck, nothing reported ( once I stopped DaemonTools with defogger ).
Malwarebytes, no issues reported.
Microsoft Security Essentials, no issues reported.
Sophos Anti-rootkit. Clean.
Norton offline scan, but since my windows drive is on a raid 0 partition, it can't scan it. ( Scanned my backup drive, nothing odd there ).
Gmer mbr.exe fails since machine is 64-bit is looks like:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Some online scan recommended in the forums here, sorry, already uninstalled, clean.



I'm beginning to think its not an infection, instead some sort of library failure.

I've got stuff backed up and disks handy for a complete re-install, but wanted to run though whatever steps to make sure its not infection, so I know if I should go down the reset all passwords/warn financial institutions route as well.

Or try to dig more into this and preferably fix whatever is wrong.

Thanks,
Seth

BC AdBot (Login to Remove)

 


#2 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 18 March 2010 - 09:40 PM

More info:
Another part of trying to track this down, tried uninstalling most things installed after I remember this starting, including 2005/2008 C++ redistribution packs, Windows LIVE gaming installs.

No change after those steps.

Seth

#3 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 18 March 2010 - 10:05 PM

Ok, found another command to run, seems to have found something. I ran sfc.exe /scannow, and it ended up with:
2010-03-18 20:49:40, Info CSI 000002e7 Creating NT transaction (seq 1), objectname [6]"(null)"
2010-03-18 20:49:40, Info CSI 000002e8 Created NT transaction (seq 1) result 0x00000000, handle @0xdcc
2010-03-18 20:49:40, Info CSI 000002e9 Sharing violation at NtCreateFile - giving up after 30 (0x000000000000001e) retries!!
Flags = (AllowSharingViolation|AllowAccessDenied)
DesiredAccess = (FILE_GENERIC_READ|DELETE|WRITE_DAC|WRITE_OWNER|FILE_WRITE_ATTRIBUTES|FILE_WRITE_EA|FILE_APPEND_DATA|FILE_WRITE_DATA|0x00000040)
ObjectAttributes = @0x16be060->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[130]"\SystemRoot\WinSxS\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32.dll"; a:(OBJ_CASE_INSENSITIVE)}
AllocationSize = (null)
FileAttributes = (FILE_ATTRIBUTE_NORMAL)
ShareAccess = (FILE_SHARE_READ|FILE_SHARE_WRITE)
CreateDisposition = (unknown enumerant 5)
CreateOptions = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|0x00004000)
2010-03-18 20:49:40, Error CSI 000002ea (F) STATUS_SHARING_VIOLATION #6170310# from RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000043]
2010-03-18 20:49:40, Info CSI 000002eb [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
2010-03-18 20:49:40, Info CSI 000002ec [SR] Repairing 1 components
2010-03-18 20:49:40, Info CSI 000002ed [SR] Beginning Verify and Repair transaction
2010-03-18 20:49:40, Info CSI 000002ee Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32.dll do not match actual file [l:24{12}]"wtsapi32.dll" :
Found: {l:32 b:X7rv7UbYCGdMNAYFcXl2bS4JPC26kpuLX4+vMe3KRGA=} Expected: {l:32 b:3YoefGcU3wd0Lv32ylq5PNxUf1brjBBmxWpo6DqBjdI=}
2010-03-18 20:49:40, Info CSI 000002ef [SR] Cannot repair member file [l:24{12}]"wtsapi32.dll" of Microsoft-Windows-TerminalServices-PublicApis, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-03-18 20:49:40, Info CSI 000002f0 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:24{12}]"wtsapi32.dll" by copying from backup
2010-03-18 20:49:40, Info CSI 000002f1 Hashes for file member \??\C:\Windows\SysWOW64\wtsapi32.dll do not match actual file [l:24{12}]"wtsapi32.dll" :
Found: {l:32 b:X7rv7UbYCGdMNAYFcXl2bS4JPC26kpuLX4+vMe3KRGA=} Expected: {l:32 b:3YoefGcU3wd0Lv32ylq5PNxUf1brjBBmxWpo6DqBjdI=}
2010-03-18 20:49:40, Info CSI 000002f2 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:24{12}]"wtsapi32.dll" from store
2010-03-18 20:49:40, Info CSI 000002f3 Repair results created:
POQ 122 starts:
0: Create File: File = [l:260{130}]"\SystemRoot\WinSxS\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32.dll", Attributes = 00000080
1: Move File: Source = [l:168{84}]"\SystemRoot\WinSxS\Temp\PendingRenames\6a9655d20ec7ca010c350000f00a3813.wtsapi32.dll", Destination = [l:260{130}]"\SystemRoot\WinSxS\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32.dll"
2: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\eab05bd20ec7ca010d350000f00a3813._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
3: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\92125cd20ec7ca010e350000f00a3813.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
4: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\027764d20ec7ca010f350000f00a3813.$$_syswow64_21ffbdd2a2dd92e0.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms"
5: Hard Link File: Source = [l:260{130}]"\SystemRoot\WinSxS\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6001.18000_none_c730eb5dc6553c1b\wtsapi32.dll", Destination = [l:72{36}]"\??\C:\Windows\SysWOW64\wtsapi32.dll"

POQ 122 ends.
2010-03-18 20:49:40, Info CSI 000002f4 [SR] Repair complete
2010-03-18 20:49:40, Info CSI 000002f5 Creating NT transaction (seq 2), objectname [6]"(null)"
2010-03-18 20:49:40, Info CSI 000002f6 Created NT transaction (seq 2) result 0x00000000, handle @0x204
2010-03-18 20:49:40, Info CSI 000002f7@2010/3/19:02:49:40.744 CSI perf trace:
CSIPERF:TXCOMMIT;26622


Lets restart and see how things go....

Is that safe? I'll wait a while before actually restarting if someone wants to yell at me to stop.

Seth

#4 DeathStalker

DeathStalker

  • Banned
  • 868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 PM

Posted 19 March 2010 - 07:53 AM

So what happened? Did it work?

#5 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 09:01 AM

We will see shortly. Ended up installing SuperAntiSpyware, letting it run over night instead. Found cookies, now I reboot....

Seth

#6 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 09:09 AM

No more segfaulting windows media player 32-bit. :huh:

Seth

#7 DeathStalker

DeathStalker

  • Banned
  • 868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 PM

Posted 19 March 2010 - 09:15 AM

SAS errors on 64 bit windows. You may want to use the uninstall tool they have to get rid of it and then load the 64 bit Beta. You have to register to their forums to get it I think, and it may not be out for "public" use yet. I got it when I emailed them about the errors I was getting with their SAS Pro version and my 64 bit Vista.

#8 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 09:29 AM

Thanks for the warning.

But maybe they updated their software.
I installed, tested ( found cookies ), uninstalled all successfully.

Seth

#9 DeathStalker

DeathStalker

  • Banned
  • 868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 PM

Posted 19 March 2010 - 09:40 AM

Nope, they haven't. All this transpired in the last week, me contacting them and their response. If you go to administrative tools, event viewer, custom views, administrative events, I bet you will find the following either one or both of the following errors:

\??\C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

The SASKUTIL service failed to start due to the following error:
This driver has been blocked from loading

Their forums stated that the 64 bit edition should be out this month. I didn't look to see if they were still allowing downloads of the pre-release 64 bit though. The forums are here, but you have to register to even read them.

#10 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 09:48 AM

Yes, I see those. Funny, aside from that it looked like it all had worked fine.

With wtsapi32.dll repaired by sfc, Norton now installed and is checking things out.

( Previously it failed just like wmplayer, on wtsapi32.dll when trying to start its service framework ).

Seth

#11 DeathStalker

DeathStalker

  • Banned
  • 868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:35 PM

Posted 19 March 2010 - 12:51 PM

LOL I really am NOT trying to be difficult, but Norton doesn't work well with 64 bit Vista. You would do well to use the Norton uninstall utility and get rid of it as well. Again I speak from painful experience. If they spent as much on R&D as they did on marketing Norton/Symantec would rule the anti-malware world. There are many good free AV programs available. Right now I'm pretty sold on Microsoft Security Essentials. I installed it against my better judgment lol, but it has performed admirably. It also seems to leave a very small footprint. To say I'm surprised is a massive understatement.

#12 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:35 AM

Posted 19 March 2010 - 04:52 PM

In all honesty I would remove Norton.

#13 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 05:14 PM

If I could return it, I would.

MSE would be my pick at the moment, but for the next year my subscription runs for, I'll give it a shot.

Now.... Getting steam to work with it... ( I'm assuming its smart 'firewall' is why I can't connect to the steam network ).

Seth

#14 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:35 AM

Posted 19 March 2010 - 05:21 PM

Steam and Norton do not play well with each other.

#15 Setharoth

Setharoth
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 19 March 2010 - 05:38 PM

Seems to be fine now. I restarted steam, checked the norton log, has auto-added entries for it, and steam is now downloading a game.

Time will tell I guess, but I plan on at least trying to make it work.

Seth




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users